
Surveillance spyware migrates from Windows to Mac OS X

An espionage campaign targeting pro-Tibetan groups is employing malware that …

E-mails such as this one contain a booby-trapped Microsoft Word document that installs a backdoor trojan on Macs that run unpatched versions of Office.

Researchers have uncovered a malware-based espionage campaign that subjects Mac users to the same techniques that have been used for years to surreptitiously siphon confidential data out of Windows machines.

The recently discovered campaign targets Mac-using employees of several pro-Tibetan non-governmental organizations, and employs attacks exploiting already patched vulnerabilities in Microsoft Office and Oracle's Java framework, Jaime Blasco, a security researcher with AlienVault, told Ars. Over the past two weeks, he has identified two separate backdoor trojans that get installed when users open booby-trapped Word documents or website links included in e-mails sent to them. Once installed, the trojans send the computer, user, and domain name associated with the Mac to a server under the control of the attackers and then await further instructions.

"This particular backdoor has a lot of functionalities," he said of the most recent trojan he found. Victims, he said, "won't see almost anything."

Blasco's findings, which are documented in blog posts here and here, are among the first to show that Macs are being subjected to the same types of advanced persistent threats (APTs) that have plagued Windows users for years—not that the shift is particularly unexpected. As companies such as Google increasingly adopt Macs to limit their exposure to Windows-dependent exploits, it was inevitable that the spooks conducting espionage on them would make the switch, too.

"What [attackers] have been installing via APT-style, targeted attack campaigns for Windows, they're now starting to do for Macs, too," said Ivan Macalintal, a security researcher at antivirus provider Trend Micro. Macalintal has documented some of the same exploits and trojans Blasco found.

Another researcher who has confirmed the findings is Alexis Dorais-Joncas, Security Intelligence Team Leader at ESET. In his own blog post, he documented the encryption one of the trojans uses to conceal communications between infected Macs and a command and control server. He also described a series of queries sent to a test machine he infected that he believes were manually typed by a live human at the other end of the server. They invoked Unix commands to rummage through Mac folders that typically store browser cookies, passwords, and software downloads.

Commands monitored by ESET researcher Alexis Dorais-Joncas. They appear to have been manually typed in real time by someone at the other end of a command and control server.

"The purpose here clearly is information stealing," he wrote.

He noted that the backdoor he observed was unable to survive a reboot on Macs that weren't running with administrator privileges. That's because the /Library/Audio/Plug-Ins/AudioServer folder used to stash one of the underlying malware files didn't allow unprivileged users to save data there. A more recent trojan analyzed by AlienVault's Blasco has overcome that shortcoming by saving the file in the less-restricted /Users/{User}/Library/LaunchAgents/ folder, ensuring it gets launched each time the user's account starts.
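As an added example (not code from the article or from any of the researchers it quotes), here is a small audit script that applies this observation from the defender's side: it parses the plists in a user's LaunchAgents folder and flags any agent whose executable lives somewhere an unprivileged user can write, which is exactly what the newer trojan relies on. The prefix list, the temporary folder and the two sample plists are constructed assumptions, not artifacts from the campaign.

```python
import os
import plistlib
import tempfile

# Prefixes an unprivileged user can normally write to (assumption: a simple
# reviewer list, not an Apple-defined one). An agent that auto-starts an
# executable from here needs no admin rights to persist across logins.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")


def program_path(agent: dict) -> str:
    """Return the executable a launchd agent runs ('' if none is declared)."""
    args = agent.get("ProgramArguments")
    return str(args[0]) if args else str(agent.get("Program", ""))


def audit_launch_agents(directory: str) -> list:
    """Parse every .plist in a LaunchAgents folder and report suspect entries."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                agent = plistlib.load(fh)  # handles both XML and binary plists
            except plistlib.InvalidFileException:
                findings.append({"plist": name, "reason": "unparseable plist"})
                continue
        prog = program_path(agent)
        if prog.startswith(USER_WRITABLE_PREFIXES):
            findings.append({"plist": name, "label": agent.get("Label"),
                             "program": prog, "run_at_load": bool(agent.get("RunAtLoad")),
                             "reason": "executable in user-writable location"})
    return findings


def demo() -> list:
    """Constructed sample: one vendor-style agent and one hidden file under ~/Library."""
    folder = tempfile.mkdtemp()
    samples = {
        "com.example.updater.plist": {"Label": "com.example.updater", "RunAtLoad": True,
            "Program": "/Applications/Example.app/Contents/MacOS/updater"},
        "com.sample.audioserver.plist": {"Label": "com.sample.audioserver", "RunAtLoad": True,
            "ProgramArguments": ["/Users/alice/Library/.audioserver", "-d"]},
    }
    for fname, data in samples.items():
        with open(os.path.join(folder, fname), "wb") as fh:
            plistlib.dump(data, fh)
    return audit_launch_agents(folder)
```

Pointed at a real ~/Library/LaunchAgents folder, the same function reports only the agents whose program sits in user-writable space, leaving vendor agents installed under /Applications alone.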

The backdoors are installed by exploiting critical holes in two pieces of software that are widely used by Mac users. One of the vulnerabilities, a buffer overflow flaw in Microsoft Office for the Mac, was patched in 2009, while the other, an unspecified bug in Java, was fixed in October. The Java exploit is advanced enough that it reads the user agent of the intended victim's browser and, based on the result, delivers a payload that's unique to machines running either Windows or OS X.

Reports of malware that target Macs have risen steadily over the past 36 months. Most of the reported infections rely on the gullibility of users, tricking them into believing their systems are already compromised and can be disinfected by downloading and installing a piece of rogue antivirus software. Others have exploited software weaknesses to install data-stealing trojans, often requiring little interaction on the part of users. While these reports are more rare, they date back to at least July 2010.

In his blog post, Trend Micro's Macalintal said the Word exploit he observed "dropped a Gh0stRat payload," a reference to a huge malware-based spy network uncovered three years ago that infiltrated government and private offices in 103 countries. The Word exploit works by embedding Mac-executable files known as "Mach-Os" into the booby-trapped document file, Macalintal added.

Seth Hardy, a Senior Security Analyst who has been monitoring espionage attacks on pro-Tibetan groups for an organization called Citizen Lab, said it's too early to know if the recent campaign is related to Gh0stRat. Hardy—whose Citizen Lab was a principal organization for the research and publication of the Tracking GhostNet and Shadows in the Cloud cyber espionage reports and is based at the Munk School of Global Affairs—went on to say that Macs are likely to play a growing role in future attacks.

"While APT-for-Mac (iAPT?) isn't exactly new, it does seem like the attackers are catching on that many of these organizations use Macs more than the general public," he wrote in an e-mail. "It's also interesting that the attackers are developing multi-platform attacks: we've seen the Mac malware bundled with similar Windows malware, and the delivery system will identify the user's operating system and run the appropriate program."
